- Notes, cautions, and warnings
- Introduction to this guide
- PowerScale scale-out NAS
- General cluster administration
- General cluster administration overview
- User interfaces
- Connecting to the cluster
- Licensing
- Certificates
- Viewing and Editing TLS Authority Certificates
- Importing TLS Authority Certificates
- Replacing TLS Authority Certificates - Overview
- Deleting TLS Authority Certificates
- Viewing and Editing TLS Server Certificates
- Importing TLS Server Certificates
- Configuring TLS Certificate Settings
- TLS certificate data example
- Cluster identity
- Cluster date and time
- SMTP email settings
- Configuring the cluster join mode
- File system settings
- Security hardening
- Cluster monitoring
- Monitoring cluster hardware
- Events and alerts
- Cluster maintenance
- SupportAssist
- SRS Summary
- Access zones
- Authentication
- Authentication overview
- Authentication provider features
- Security Identifier (SID) history overview
- Supported authentication providers
- Active Directory
- LDAP
- NIS
- Kerberos authentication
- File provider
- Local provider
- Multifactor authentication (MFA)
- Single sign-on overview
- Multi-instance active directory
- LDAP public keys
- Managing Active Directory providers
- Managing LDAP providers
- Managing NIS providers
- Managing MIT Kerberos authentication
- Managing file providers
- Managing local users and groups
- View a list of users or groups by provider
- Create a local user
- Create a local group
- Naming rules for local users and groups
- Modify a local user
- Modify a local group
- Delete a local user
- Delete a local group
- Configure a login delay
- Set a concurrent session limit
- Set a new user account to disable when inactive
- Set an existing user account to disable when inactive
- Configure minimum password requirements
- Configure the password hash type
- Set password expiration
- Set minimum new password changes
- Set lock users criteria
- Reset a user password
- Managing SSO
- Administrative roles and privileges
- Identity management
- Home directories
- Home directories overview
- Home directory permissions
- Authenticating SMB users
- Home directory creation through SMB
- Home directory creation through SSH and FTP
- Home directory creation in a mixed environment
- Interactions between ACLs and mode bits
- Default home directory settings in authentication providers
- Supported expansion variables
- Domain variables in home directory provisioning
- Data access control
- File sharing
- File sharing overview
- SMB security
- SMB shares in access zones
- SMB Multichannel
- SMB share management through MMC
- SMBv3 encryption
- SMB server-side copy
- SMB continuous availability
- SMB file filtering
- Symbolic links and SMB clients
- Anonymous access to SMB shares
- Managing SMB settings
- Managing SMB shares
- Create an SMB share
- Modify SMB share permissions, performance, or security
- Delete an SMB share
- Limit access to /ifs share for the Everyone account
- Configure anonymous access to a single SMB share
- Configure anonymous access to all SMB shares in an access zone
- Add a user or group to an SMB share
- Configure multi-protocol home directory access
- NFS security
- FTP
- HTTP and HTTPS security
- File filtering
- Auditing
- Auditing overview
- Syslog
- Syslog forwarding and TLS
- OpenBSM service
- Protocol audit events
- Audit log purging
- Managing audit settings
- Enable configuration change auditing
- Forward configuration changes to syslog
- Enable protocol access auditing
- Forward protocol access events to syslog
- Configure protocol audited zones
- Configure protocol event filters
- Enable system auditing and forwarding
- Import certificate for TLS syslog forwarding
- Set the audit hostname
- View audit settings
- Automatic deletion
- Manual deletion
- Integrating with the Common Event Enabler
- Tracking the delivery of protocol audit events
- Snapshots
- Snapshots overview
- Data protection with SnapshotIQ
- Snapshot disk-space usage
- Snapshot schedules
- Snapshot aliases
- File and directory restoration
- Best practices for creating snapshots
- Best practices for creating snapshot schedules
- File clones
- Snapshot locks
- Snapshot reserve
- Writable snapshots
- SnapshotIQ license functionality
- Creating snapshots with SnapshotIQ
- Managing snapshots
- Restoring snapshot data
- Managing snapshot schedules
- Managing snapshot aliases
- Managing with snapshot locks
- Configure SnapshotIQ settings
- Set the snapshot reserve
- Managing changelists
- Deduplication with SmartDedupe
- Data replication with SyncIQ
- SyncIQ data replication overview
- Replication policies and jobs
- Replication snapshots
- Data failover and failback with SyncIQ
- Recovery times and objectives for SyncIQ
- Replication policy priority
- SyncIQ license functionality
- Replication for nodes with multiple interfaces
- Restrict SyncIQ source nodes
- Creating replication policies
- Managing replication to remote clusters
- Initiating data failover and failback with SyncIQ
- Performing disaster recovery for older SmartLock directories
- Managing replication policies
- Managing replication to the local cluster
- Managing replication performance rules
- Managing replication reports
- Managing failed replication jobs
- Data Encryption with SyncIQ
- Data Transfer with Datamover (SmartSync)
- Data layout with FlexProtect
- Large file size support
- NDMP backup and recovery
- NDMP backup and recovery overview
- NDMP two-way backup
- NDMP three-way backup
- Support for NDMP sessions on Generation 6 hardware
- Setting preferred IPs for NDMP three-way operations
- NDMP multi-stream backup and recovery
- Snapshot-based incremental backups
- NDMP backup and restore of SmartLink files
- NDMP protocol support
- Supported DMAs
- NDMP hardware support
- NDMP backup limitations
- NDMP performance recommendations
- Excluding files and directories from NDMP backups
- Configuring basic NDMP backup settings
- Managing NDMP user accounts
- NDMP environment variables overview
- Managing NDMP contexts
- Managing NDMP sessions
- Managing NDMP Fibre Channel ports
- Managing NDMP preferred IP settings
- Managing NDMP backup devices
- NDMP dumpdates file overview
- NDMP restore operations
- Sharing tape drives between clusters
- Managing snapshot based incremental backups
- Managing cluster performance for NDMP sessions
- Managing CPU usage for NDMP sessions
- File retention with SmartLock
- SmartLock overview
- Compliance mode
- Enterprise mode
- SmartLock directories
- Replication and backup with SmartLock
- SmartLock license functionality
- SmartLock considerations
- Set the compliance clock
- View the compliance clock
- Creating a SmartLock directory
- Managing SmartLock directories
- Managing files in SmartLock directories
- Set a retention period through a UNIX command line
- Set a retention period through Windows Powershell
- Commit a file to a WORM state through a UNIX command line
- Commit a file to a WORM state through Windows Explorer
- Override the retention period for all files in a SmartLock directory
- Delete a file committed to a WORM state
- View WORM status of a file
- Protection domains
- Data-at-rest-encryption
- Data-at-rest encryption overview
- Self-encrypting drives
- Data security on self-encrypting drives
- Data migrations and upgrades to a cluster with self-encrypting drives
- Enabling external key management
- Migrate nodes and SEDs to external key management
- Chassis and drive states
- Smartfailed drive REPLACE state
- Smartfailed drive ERASE state
- S3 Support
- SmartQuotas
- SmartQuotas overview
- Quota types
- Default quota type
- Usage accounting and limits
- Disk-usage calculations
- Quota notifications
- Quota notification rules
- Quota reports
- Creating quotas
- Managing quotas
- Managing quota notifications
- Email quota notification messages
- Managing quota reports
- Basic quota settings
- Advisory limit quota notification rules settings
- Soft limit quota notification rules settings
- Hard limit quota notification rules settings
- Limit notification settings
- Quota report settings
- Storage Pools
- Storage pools overview
- Storage pool functions
- Autoprovisioning
- Node pools
- Virtual hot spare
- Spillover
- Suggested protection
- Protection policies
- SSD strategies
- Other SSD mirror settings
- Global namespace acceleration
- L3 cache overview
- Tiers
- File pool policies
- Managing node pools in the web administration interface
- Managing L3 cache from the web administration interface
- Managing tiers
- Creating file pool policies
- Managing file pool policies
- Configure default file pool protection settings
- Default file pool requested protection settings
- Configure default I/O optimization settings
- Default file pool I/O optimization settings
- Modify a file pool policy
- Prioritize a file pool policy
- Create a file pool policy from a template
- Delete a file pool policy
- Monitoring storage pools
- Pool-based tree reporting in FSAnalyze (FSA)
- System jobs
- Networking
- Networking overview
- About the internal network
- About the external network
- Configuring the internal network
- Managing IPv6
- Managing groupnets
- Managing external network subnets
- Managing IP address pools
- Managing SmartConnect Settings
- Managing network interface members
- Managing node provisioning rules
- Managing routing options
- Managing DNS cache settings
- Managing host-based firewalls
- Modify the OneFS firewall service
- Create a firewall policy
- View a firewall policy
- Create a firewall rule
- View a firewall rule
- Modify a firewall rule
- Delete a firewall rule
- Clone a firewall policy
- Delete a firewall policy
- Associate a network subnet or pool to a firewall policy
- Reset the global default firewall policies
- Managing TCP ports
- NFS3oRDMA
- Smart QoS
- Antivirus
- Antivirus overview
- On-access scanning
- ICAP Antivirus policy scanning
- Individual file scanning using ICAP
- WORM files and antivirus
- Antivirus scan reports
- ICAP servers
- CAVA servers
- ICAP threat responses
- CAVA threat responses
- Configuring global antivirus settings
- Managing ICAP servers
- Managing CAVA servers
- Add and connect to a CAVA server
- List or view CAVA servers
- Modify CAVA connection settings
- Disable connection to a CAVA server
- Delete connection to a CAVA server
- Add a job to a CAVA server
- View an IP pool in a CAVA server
- Create an Active Directory authentication provider for the AvVendor access zone
- Update the role in the access zone
- Scan CloudPool files in a CAVA server
- Create an antivirus policy
- Managing ICAP antivirus policies
- Managing antivirus scans
- Managing antivirus threats
- Managing antivirus reports
- File System Explorer
PowerScale OneFS 9.5.0.0 Web Administration Guide
ACL policy settings
You can configure an access control list (ACL) policy by choosing from the available settings options.
Environment
Depending on the environment you select, the system will automatically select the General ACL Settings and Advanced ACL Settings options that are optimal for that environment. You also have the option to manually configure general and advanced settings.
- Balanced
- Enables PowerScale cluster permissions to operate in a mixed UNIX and Windows environment. This setting is recommended for most PowerScale cluster deployments.
- UNIX only
- Enables PowerScale cluster permissions to operate with UNIX semantics, as opposed to Windows semantics. Enabling this option prevents ACL creation on the system.
- Windows only
- Enables PowerScale cluster permissions to operate with Windows semantics, as opposed to UNIX semantics. Enabling this option causes the system to return an error on UNIX chmod requests.
- Custom environment
- Allows you to configure General ACL Settings and Advanced ACL Settings options.
General ACL Settings
- ACL Creation Through SMB
- Specifies whether to allow or deny creation of ACLs over SMB. Select one of the following options:
- Do not allow ACLs to be created through SMB
- Prevents ACL creation on the cluster.
- Allow ACLs to be created through SMB
- Allows ACL creation on the cluster.
NOTE:Inheritable ACLs on the system take precedence over this setting. If inheritable ACLs are set on a folder, any new files and folders that are created in that folder inherit the folder's ACL. Disabling this setting does not remove ACLs currently set on files. If you want to clear an existing ACL, run the chmod -b <mode> <file> command to remove the ACL and set the correct permissions. - Use the chmod Command On Files With Existing ACLs
- Specifies how permissions are handled when a
chmod operation is initiated on a file with an ACL, either locally or over NFS. This setting controls any elements that affect UNIX permissions, including File System Explorer. Enabling this policy setting does not change how
chmod operations affect files that do not have ACLs. Select one of the following options:
- Remove the existing ACL and set UNIX permissions instead
- For chmod operations, removes any existing ACL and instead sets the chmod permissions. Select this option only if you do not need permissions to be set from Windows.
- Remove the existing ACL and create an ACL equivalent to the UNIX permissions
- Stores the UNIX permissions in a new Windows ACL. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
- Remove the existing ACL and create an ACL equivalent to the UNIX permissions, for all users/groups referenced in old ACL
- Stores the UNIX permissions in a new Windows ACL only for users and groups that are referenced by the old ACL. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
- Merge the new permissions with the existing ACL
- Merges permissions that are applied by chmod with existing ACLs. An ACE for each identity (owner, group, and everyone) is either modified or created, but all other ACEs are unmodified. Inheritable ACEs are also left unmodified to enable Windows users to continue to inherit appropriate permissions. However, UNIX users can set specific permissions for each of those three standard identities.
- Deny permission to modify the ACL
- Prevents users from making NFS and local chmod operations. Enable this setting if you do not want to allow permission sets over NFS.
- Ignore operation if file has an existing ACL
- Prevents an NFS client from changing the ACL. Select this option if you defined an inheritable ACL on a directory and want to use that ACL for permissions.
CAUTION:If you try to run the chmod command on the same permissions that are currently set on a file with an ACL, you may cause the operation to silently fail. The operation appears to be successful, but if you were to examine the permissions on the cluster, you would notice that the chmod command had no effect. As an alternative, you can run the chmod command away from the current permissions and then perform a second chmod command to revert to the original permissions. For example, if the file shows 755 UNIX permissions and you want to confirm this number, you could run chmod 700 file; chmod 755 file. - ACLs Created On Directories By the chmod Command
- On Windows systems, the ACEs for directories can define detailed inheritance rules. On a UNIX system, the mode bits are not inherited. Making ACLs that are created on directories by the
chmod command inheritable is more secure for tightly controlled environments but may deny access to some Windows users who would otherwise expect access. Select one of the following options:
- Make ACLs inheritable
- Do not make ACLs inheritable
- Use the chown/chgrp On Files With Existing ACLs
- Changes the user or group that has ownership of a file or folder. Select one of the following options:
- Modify only the owner and/or group
- Enables the chown or chgrp operation to perform as it does in UNIX. Enabling this setting modifies any ACEs in the ACL associated with the old and new owner or group.
- Modify the owner and/or group and ACL permissions
- Enables the NFS chown or chgrp operation to function as it does in Windows. When a file owner is changed over Windows, no permissions in the ACL are changed.
- Ignore operation if file has an existing ACL
- Prevents an NFS client from changing the owner or group.
NOTE:Over NFS, the chown or chgrp operation changes the permissions and user or group that has ownership. For example, a file that is owned by user Joe with rwx------ (700) permissions indicates rwx permissions for the owner, but no permissions for anyone else. If you run the chown command to change ownership of the file to user Bob, the owner permissions are still rwx but they now represent the permissions for Bob, rather than for Joe, who lost all of his permissions. This setting does not affect UNIX chown or chgrp operations that are performed on files with UNIX permissions, and it does not affect Windows chown or chgrp operations, which do not change any permissions. - Access checks (chmod, chown)
- In UNIX environments, only the file owner or superuser has the right to run a
chmod or
chown operation on a file. In Windows environments, you can implement this policy setting to give users the right to perform
chmod operations that change permissions, or the right to perform
chown operations that take ownership, but do not give away ownership. Select one of the following options:
- Allow only the file owner to change the mode or owner of the file (UNIX model)
- Enables chmod and chown access checks to operate with UNIX-like behavior.
- Allow the file owner and users with WRITE_DAC and WRITE_OWNER permissions to change the mode or owner of the file (Windows model)
- Enables chmod and chown access checks to operate with Windows-like behavior.
Advanced ACL Settings
- Treatment of 'rwx' permissions
- In UNIX environments, rwx permissions indicate that a user or group has read, write, and execute permissions and that a user or group has the maximum level of permissions.
When you assign UNIX permissions to a file, no ACLs are stored for that file. Because a Windows system processes only ACLs, the PowerScale cluster must translate the UNIX permissions into an ACL when you view a file's permissions on a Windows system. This type of ACL is called a synthetic ACL. Synthetic ACLs are not stored anywhere; instead, they are dynamically generated and discarded as needed. If a file has UNIX permissions, you may notice synthetic ACLs when you run the ls file command to view a file’s ACLs.
When you generate a synthetic ACL, the PowerScale cluster maps UNIX permissions to Windows rights. Windows supports a more granular permissions model than UNIX does, and it specifies rights that cannot easily be mapped from UNIX permissions. If the PowerScale cluster maps rwx permissions to Windows rights, you must enable one of the following options:
- Retain 'rwx' permissions
- Generates an ACE that provides only read, write, and execute permissions.
- Treat 'rwx' permissions as Full Control
- Generates an ACE that provides the maximum Windows permissions for a user or a group by adding the change permissions right, the take ownership right, and the delete right.
- Group Owner Inheritance
- Operating systems tend to work with group ownership and permissions in two different
PowerScale group owner from the file creator's primary group. If you enable a setting that causes the group owner to be inherited from the creator's primary group, you can override it on a per-folder basis by running the
chmod command to set the set-gid bit. This inheritance applies only when the file is created. For more information, see the manual page for the
chmod command.
Select one of the following options:
- When an ACL exists, use Linux and Windows semantics, otherwise use BSD semantics
- Specifies that if an ACL exists on a file, the group owner is inherited from the file creator's primary group. If there is no ACL, the group owner is inherited from the parent folder.
- BSD semantics - Inherit group owner from the parent folder
- Specifies that the group owner be inherited from the file's parent folder.
- Linux and Windows semantics - Inherit group owner from the creator's primary group
- Specifies that the group owner be inherited from the file creator's primary group.
- chmod (007) On Files With Existing ACLs
- Specifies whether to remove ACLs when running the
chmod (007) command. Select one of the following options.
- chmod(007) does not remove existing ACL
- Sets 007 UNIX permissions without removing an existing ACL.
- chmod(007) removes existing ACL and sets 007 UNIX permissions
- Removes ACLs from files over UNIX file sharing (NFS) and locally on the cluster through the chmod (007) command. If you enable this setting, be sure to run the chmod command on the file immediately after using chmod (007) to clear an ACL. In most cases, you do not want to leave 007 permissions on the file.
- Approximate Owner Mode Bits When ACL Exists
- Windows ACLs are more complex than UNIX permissions. When a UNIX client requests UNIX permissions for a file with an ACL over NFS, the client receives an approximation of the file's actual permissions. Running the
ls -l command from a UNIX client returns a more open set of permissions than the user expects. This permissiveness compensates for applications that incorrectly inspect the UNIX permissions themselves when determining whether to try a file-system operation. The purpose of this policy setting is to ensure that these applications go with the operation to allow the file system to correctly determine user access through the ACL. Select one of the following options:
- Approximate owner mode bits using all possible group ACEs in ACL
- Causes the owner permissions appear more permissive than the actual permissions on the file.
- Approximate owner mode bits using only the ACE with the owner ID
- Causes the owner permissions appear more accurate, in that you see only the permissions for a particular owner and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
- Approximate Group Mode Bits When ACL Exists
- Select one of the following options for group permissions:
- Approximate group mode bits using all possible group ACEs in ACL
- Makes the group permissions appear more permissive than the actual permissions on the file.
- Approximate group mode bits using only the ACE with the group ID
- Makes the group permissions appear more accurate, in that you see only the permissions for a particular group and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
- Synthetic "deny" ACEs
- The Windows ACL user interface cannot display an ACL if any deny ACEs are out of canonical ACL order. To correctly represent UNIX permissions, deny ACEs may be required to be out of canonical ACL order. Select one of the following options:
- Do not modify synthetic ACLs and mode bit approximations
- Prevents modifications to synthetic ACL generation and allows “deny” ACEs to be generated when necessary.
CAUTION:This option can lead to permissions being reordered, permanently denying access if a Windows user or an application performs an ACL get, an ACL modification, and an ACL set to and from Windows.
- Remove “deny” ACEs from ACLs. This setting can cause ACLs to be more permissive than the equivalent mode bits
- Does not include deny ACEs when generating synthetic ACLs.
- Access check (utimes)
- You can control who can change utimes, which are the access and modification times of a file. Select one of the following options:
- Allow only owners to change utimes to client-specific times (POSIX compliant)
- Allows only owners to change utimes, which complies with the POSIX standard.
- Allow owners and users with ‘write’ access to change utimes to client-specific times
- Allows owners as well as users with write access to modify utimes, which is less restrictive.
- Read-only DOS attribute
-
- Deny permission to modify files with DOS read-only attribute over Windows Files Sharing (SMB)
- Duplicates DOS-attribute permissions behavior over only the SMB protocol, so that files use the read-only attribute over SMB.
- Deny permission to modify files with DOS read-only attribute through NFS and SMB
- Duplicates DOS-attribute permissions behavior over both NFS and SMB protocols. For example, if permissions are read-only on a file over SMB, permissions are read-only over NFS.
- Displayed mode bits
-
- Use ACL to approximate mode bits
- Displays the approximation of the NFS mode bits that are based on ACL permissions.
- Always display 777 if ACL exists
- Displays 777 file permissions. If the approximated NFS permissions are less permissive than those in the ACL, you may want to use this setting so the NFS client does not stop at the access check before performing its operation. Use this setting when a third-party application may be blocked if the ACL does not provide the proper access.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\